search

netbox-community / netbox

The premier source of truth powering network automation. Open source under Apache 2. Try NetBox Cloud free: https://netboxlabs.com/free-netbox-cloud/
http://netboxlabs.com/oss/netbox/
Apache License 2.0
16.16k stars 2.59k forks source link

No [documented] way to disable TLS verification for NAPALM with EOS. #10222

Closed bz-maldridge closed 2 years ago

bz-maldridge commented 2 years ago

NetBox version

v3.2.9

Python version

3.10

Steps to Reproduce

Use the netbox-docker v3.2.9 tag and setup an arista EOS device with eAPI enabled using the default parameters, which creates a self-signed certificate. Attempt to use NAPALM to discover its LLDP neighbors or status information.

Expected Behavior

I expect the system to work. I should be able to query via eAPI and have an option to disable certificate verification so that even if I haven't got things fully valid via a chain of trust I can still connect using an encrypted channel.

Observed Behavior

NetBox tries to validate the certificates. There doesn't seem to be any way, at least not documented, to disable this validation for EOS targets. In an earlier 3.x version this worked (I don't know what version, we jumped through several in quick succession upgrading from early 2.x).

Having read all the way down the source tree to pyEOS it looks like there is support for doing this, but not in any meaningful way that can be enabled, so maybe this becomes a feature request?

DanSheps commented 2 years ago

Having read all the way down the source tree to pyEOS it looks like there is support for doing this, but not in any meaningful way that can be enabled, so maybe this becomes a feature request?

It does not look like there is native support for this in napalm (it is not in the list of supported arguments), which means this would need to be added to Napalm first. Alternatively, it looks like you can disable it on the OS level for napalm/pyeos using either an environment variable or a configuration file.

There are two routes forward:

  1. This is supported in Napalm, in which case, setting the appropriate napalm arguments should get this working
  2. This is not supported in Napalm, in which case you need to open a FR in the Napalm repository

This does not appear to be a NetBox bug, in either event, so I am going to close out this issue as Napalm functionality of this nature is not in our pervue to change.

kkthxbye-code commented 2 years ago

@bz-maldridge - Try setting the napalm args to:

NAPALM_ARGS = {
    'enforce_verification': False
}

https://github.com/arista-eosplus/pyeapi/blob/dffe311be9789694d35a1277a9d18a05ea1b16cb/pyeapi/eapilib.py#L603-L606

https://github.com/napalm-automation/napalm/blob/d297056ff191d2fe447b5467504554415398d78f/napalm/eos/eos.py#L162

Alternatively it seems like it takes an instance of EapiConnection which you can pass in NAPALM args as the transport option.

https://github.com/napalm-automation/napalm/blob/d297056ff191d2fe447b5467504554415398d78f/napalm/eos/eos.py#L109-L110

Transport gets parsed here:

https://github.com/napalm-automation/napalm/blob/d297056ff191d2fe447b5467504554415398d78f/napalm/eos/eos.py#L139-L149

Not sure where you see pyEOS being the backend, it seems to be pyeapi.

That should get you started. However, as Dan pointed out, if you can't get this to work you have to get it fixed upstream. It is also unfeasible for us to document NAPALM fully for all supported devices in the context of netbox.

bz-maldridge commented 2 years ago

@DanSheps

Alternatively, it looks like you can disable it on the OS level for napalm/pyeos using either an environment variable or a configuration file.

I did not see such an option in my research, if you can link which document you're looking at I'd appreciate it.

@kkthxbye-code You are correct it is pyeapi and not pyEOS, I was typing this up while on a call with $dayjob's network engineering team and mixed up my libraries. I made the same tracing of code as you and I saw where there is the enforce_verification key being parsed out of the context, but there doesn't appear to actually be a way to set that in the context. I tried editing the NAPALM_ARGS in the Platform section of the configuration for the specific platform definition I'm having trouble with, and it doesn't seem like I can specify python types in there, I certainly can't construct an entire EapiConnection object in there.

As a last resort I suppose I could build a small python file that sets this up and inject it into the netbox container, but I'd prefer to not do this.

As this was closed as Not Planned, perhaps a notice should go into the docs that the default configuration does not work with EOS switches, and either the switch must be provisioned with a real certificate (which I don't think would matter here since netbox tries to contact it via IP) or netbox must be instructed to use http transport.

kkthxbye-code commented 2 years ago

As this was closed as Not Planned, perhaps a notice should go into the docs that the default configuration does not work with EOS switches

As this is an upstream issue we really can't note it in the documentation. If you can demonstrate a bug in netbox we can fix it, otherwise you will have to create an issue with napalm or pyeapi.

that the default configuration does not work with EOS switches

As we don't call out any specific support of any devices as far as I can tell, but instead refer to the napalm documentation, you could ask napalm to put it in their docs.

I tried editing the NAPALM_ARGS in the Platform section of the configuration for the specific platform definition I'm having trouble with, and it doesn't seem like I can specify python types in there, I certainly can't construct an entire EapiConnection object in there.

The transport argument seems to be able to take an import path as a string, so you could mount a file to your container or make a custom image and point it at that.

Again, if you can demonstrate that the issue is caused by netbox and not upstream, we'll gladly re-open.